
Possible Duplicate:
Best way to stop SQL Injection in PHP

I am trying to insert the ' sign and the " sign into a MySQL table using PHP. But when the content has these two signs I get a MySQL error.

    $comment = "I like '''' it so \"much\" Jaan";   // double quotes must be escaped inside a PHP double-quoted string
    // The variables are interpolated straight into the SQL, so the quotes in $comment break the statement.
    mysql_query("INSERT INTO `comments` (`id` ,`name` ,`date` ,`comment`) VALUES ('', '$name', '$date', '$comment')");

The above is an example. Whenever a user inserts ' or " in his comment the problem begins. I know about mysql_real_escape_string() but I don't want to use it, because my comments are already filtered. Please tell me how I can insert a comment with that syntax. Every suggestion is welcome.

Ding Dong
  • STOP. Read [Best way to stop SQL Injection](http://stackoverflow.com/questions/60174/best-way-to-stop-sql-injection-in-php). Problem solved. Ignore all suggestions of "escaping"ing. –  Jul 08 '11 at 16:51
  • You want to drive in a nail, but don't want to use a hammer... Other than suggesting using your forehead, I can only suggest using the tools provided. Whatever filtering you think you're doing is probably inadequate, and mysql_real_escape_string() is **THE** official method of preparing data for MySQL queries. – Marc B Jul 08 '11 at 16:54
  • Actually I'm also taking input of file names, and there a ' or " sign may exist, and according to my application I can't change the file names ... so how do I input file names? – Ding Dong Jul 08 '11 at 17:00
  • @Paul Sonier how to accept answers ? – Ding Dong Jul 08 '11 at 17:02
  • @suman: go to your profile page (click on your name to get there), click on the questions you've asked, and by the answers, click on the checkbox for the answer that answers the question. – Paul Sonier Jul 08 '11 at 17:13
  • if( accept_rate == 0) do nothing; – Drewdin Jul 08 '11 at 17:21
  • @Álvaro G. Vicario No. "You have to escape is myth." The real solution -- adopted by *every framework I have used* (outside of PHP, and even some inside) -- is to use *parametrized queries* not "escaping". It is 2011. Stop using rubbish. –  Jul 08 '11 at 17:29
  • @pst - Sorry but you didn't get the point of my comment. I was not arguing against prepared statements, was I? Nobody has said anything against prepared statements on this thread; don't be paranoid :) – Álvaro González Jul 08 '11 at 17:33
  • @Álvaro G. Vicario "You have to escape input data because it's the only way to produce valid SQL syntax." <-- *This is untrue and what I am opposed to*. Too many people think that "this" (escaping) is the "only way". Using SQL correctly and *validation*, however, are two different beasts. –  Jul 08 '11 at 17:45
  • This is what happens when SQL injection is shown exclusively as a security issue: hordes of programmers that claim "hey, it's just an internal app" or "hey, my server is already secured". You have to care about SQL injection because it's the only way to produce valid SQL syntax. Not doing so is like trying to type a PHP variable without a dollar sign. – Álvaro González Jul 08 '11 at 17:51
  • @pst I've rephrased my comment to avoid the expression you seem to hate. I hope it's clearer now. – Álvaro González Jul 08 '11 at 17:52

1 Answer


Escape every string variable with mysql_real_escape_string().

Ondřej Mirtes
  • -1 Please make it stop. See [Best way to stop SQL injection](http://stackoverflow.com/questions/60174/best-way-to-stop-sql-injection-in-php). While this will work it is the *outdated* bad-practice that never dies. –  Jul 08 '11 at 17:15
  • I agree, there are far better solutions than PHP built-in functions and libraries. But I wanted to provide a solution as simple as possible. – Ondřej Mirtes Jul 08 '11 at 17:23
  • Consider also listing the non-escape alternatives (mysqli or PDO, perhaps). A well-rounded answer is a well-rounded answer. –  Jul 08 '11 at 17:30
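A prepared-statement version of the question's INSERT (the mysqli alternative the comments ask for), added here as an example that is not from the original question or answer; it assumes a mysqli connection with placeholder credentials and the `comments` table from the question with an AUTO_INCREMENT `id`, and shows the escaping approach from the answer beside it for comparison.

```php
<?php
// Added example, not from the original post. Assumes a MySQL server reachable
// with the placeholder credentials below and the `comments` table from the question.
$mysqli = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
if ($mysqli->connect_error) {
    die('Connection failed: ' . $mysqli->connect_error);
}

$name    = "O'Brien";                              // constructed value containing a single quote
$date    = date('Y-m-d H:i:s');
$comment = "I like '''' it so \"much\" Jaan";      // the exact string from the question

// Prepared statement: the SQL text and the data travel to the server separately,
// so quotes in $comment can never change the statement's structure. No escaping
// or "filtering" of the comment is needed for the query to be valid.
// `id` is omitted on the assumption that it is AUTO_INCREMENT.
$stmt = $mysqli->prepare(
    'INSERT INTO `comments` (`name`, `date`, `comment`) VALUES (?, ?, ?)'
);
if ($stmt === false) {
    die('Prepare failed: ' . $mysqli->error);
}
$stmt->bind_param('sss', $name, $date, $comment);   // three string parameters
if (!$stmt->execute()) {
    die('Execute failed: ' . $stmt->error);
}
echo 'Inserted row id ' . $stmt->insert_id . PHP_EOL;
$stmt->close();

// For comparison, the escaping approach from the answer (mysqli flavour).
// It produces valid SQL too, but only as long as every interpolated variable
// is remembered; a single unescaped one breaks the query again.
$sql = sprintf(
    "INSERT INTO `comments` (`name`, `date`, `comment`) VALUES ('%s', '%s', '%s')",
    $mysqli->real_escape_string($name),
    $mysqli->real_escape_string($date),
    $mysqli->real_escape_string($comment)
);
if (!$mysqli->query($sql)) {
    die('Query failed: ' . $mysqli->error);
}
$mysqli->close();
```

The same pattern works for the file names mentioned in the comments: bind them as parameters and the ' and " characters are stored as-is.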